Regulatory actions will join other tools, such as indictments and sanctions, in the U.S. effort to promote cyber norms.
Government officials are looking to the federal regulatory process as one possible tool to compel other nations to practice norms of good behavior in cyberspace and to punish nations that step out of bounds, a State Department official told Nextgov.
The official declined to specify how the U.S. might use existing regulations or the federal rulemaking process to punish specific nations, saying those determinations would be made on a case by case basis.
“There are a lot of regulatory interactions with the U.S. government that could potentially be used in creative ways,” the official said.
Any regulatory actions the U.S. government contemplates against cyber adversary nations will be presented to President Donald Trump along with more traditional methods for punishing bad cyber behavior, the official said.
Those traditional methods include indicting state-backed hackers, sanctioning hackers and the governments and other organizations that support them, and “naming and shaming” cyber miscreants on the world stage.
“It’s not always just one action,” the official said. “You want to have many options available for the president to be able to use in the right circumstances.”
The focus on regulations as a tool to compel good behavior in cyberspace comes as the State Department is trying to “develop tailored strategies for deterring each of its key adversaries in cyberspace,” according to a “recommendation to the president” released in May.
The recommendation also describes developing “a more proactive approach [and] broader response options.”
Mixed Success So Far
Since 2014, the Justice Department has indicted Chinese, Russian and Iranian government-backed hackers for attacks against U.S. targets.
The Treasury department also sanctioned Russian officials for digital meddling in the 2016 U.S. election and for the 2017 NotPetya malware attack and sanctioned North Korean officials for hacking Sony Pictures Entertainment in 2014.
Those efforts have had mixed success, however.
Analysts widely believe that the threat of cyber sanction pressured Chinese President Xi Jinping into a no-commercial hacking agreement with the Obama administration in 2015. That deal produced a significant reduction in Chinese industrial espionage, according to cyber intelligence firms.
On the other hand, a bevy of sanctions and indictments has had little effect on cyber operations conducted by the Russian government or by hacking groups closely tied to it.
There’s no definitive guide for how nations should and shouldn’t behave in cyberspace, though there’s a general agreement that broad principles of international law apply online just as they would offline.
The U.S. has pushed a slate of peacetime cyber norms that were endorsed by the G20 in 2015, including that nations shouldn’t hack each other for economic gain, shouldn’t conduct destructive hacks against each other’s critical infrastructure and shouldn’t target each other’s cyber emergency responders.
FCC Action Not a Template
The Federal Communications Commission gave a preview of how a regulator might punish bad cyber behavior in March when it began the process of restricting recipients of federal telecom money from contracting with nations that the agency believes pose a national security risk to the U.S.
Commissioners acknowledged that two likely targets would be Huawei and ZTE, the Chinese telecom giants that U.S. intelligence officials say could be tools for Chinese government spying and that Congress is in the process of barring from federal networks.
The FCC action is specific to that agency and is not part of a larger government strategy to counter digital spying, the State official said.